Employer says 'Microsoft are retiring all legacy protocols'

After years of using K-9 to connect to my employer’s server via IMAP, I am now told that ‘Microsoft are retiring all legacy protocols’. This will affect: IMAP4, POP3, Exchange ActiveSync, Exchange Web Services, Outlook Anywhere, MAPI over HTTP. As usual, in its advice the IT department assumes we are all using or are happy to use Outlook or a browser. Will there be a way left for K-9 to access my email? I would hate to be forced to leave K-9 (and Thunderbird).

1 Like

Could it be that it is related to this?

As far as I understand it is talking about future requirement of OAuth2 instead of Basic authentication. And they write this for POP and IMAP:

Recommendations:
Move away from these protocols as they don’t enable full features.
Move to OAuth 2.0 for POP/IMAP when your client app supports it.

And K9 already supports OAuth 2 for Microsoft.

3 Likes

I hope you are right. The email I received says this change will ‘affect’ IMAP etc. but it also says they will ‘retire’ these protocols. Is there a protocol that Outlook supports and K-9 doesn’t? I am expecting now clarification from IT. Fingers crossed!

i’m with stphn, i haven’t seen anything to indicate that they have come up with their own mail protocol (and i will say, a very scary concept) and that the “protocol” change referenced is authentication-specific. m$ has indicated that they are turning off “basic authentication”, including app-passwords, “in the fall” and only supporting OAuth 2 at this point (for both m$ and client hosted servers).

2 Likes

Also, the email I received says the change will happen on 1 October which matches what m$ say in their publicity. :crossed_fingers:

Wrt dropped protocols, there is a bit of truth to this… With the latest updates to Exchange Server 2019, TLS 1.1 will be dropped. Thus, only TLS 1.2 is supported.

This means that any older Android device running KitKat or older will not be able to connect to Exchange Server 2019 on TLS. There are a few tricks to enable TLS 1.2 on KitKat, but they do require rooting the device.

This comes on top of the OAuth changes mentioned here: https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-roadmap-update/ba-p/3421389

If you are still on Exchange Server 2016 or even 2013, you can still connect on TLS 1.0 (very insecure) or 1.1 (unsecure), but you should consider upgrading.

1 Like

Hello,

Microsoft may be using imprecise language to create confusion and drive more users away from Outlook alternatives :slight_smile:

What Microsoft refers to as “legacy protocols” in the context of IMAP are clients that do not implement a preliminary OAUTH2 flow (through a web UI) to acquire an access token (or renew it). Once the token is acquired, it is injected in the IMAP conversation through an AUTHENTICATE command according to the SASL XOAUTH2 specification and that’s it, the client is connected.

From what I noticed when connecting to Gmail accounts, K9 already implements this extension and can reach any mail provider that respects this protocol. I can only assume/hope that Microsoft does the same, so no worries :slight_smile:
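The AUTHENTICATE step described in the post above, as an added example that is not part of the original thread and is not K-9's code: it builds the SASL XOAUTH2 client response, reports whether a server's CAPABILITY line still offers password logins, and decodes the challenge sent for a rejected token. The address, token, capability lines and failure payload are constructed samples.

```python
import base64
import json

def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Base64 SASL XOAUTH2 client response: user=..^Aauth=Bearer ..^A^A"""
    if "\x01" in user + access_token:
        raise ValueError("field contains the \\x01 separator")
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def authenticate_command(tag: str, user: str, access_token: str) -> str:
    """IMAP command line (sent in one line when the server offers SASL-IR)."""
    return f"{tag} AUTHENTICATE XOAUTH2 {xoauth2_initial_response(user, access_token)}"

def auth_mechanisms(capability_line: str) -> dict:
    """Report which login paths a CAPABILITY response still offers."""
    words = capability_line.upper().split()
    sasl = {w[5:] for w in words if w.startswith("AUTH=")}
    return {
        "oauth2": bool(sasl & {"XOAUTH2", "OAUTHBEARER"}),
        "password_sasl": sorted(sasl & {"PLAIN", "LOGIN"}),
        "login_command": "LOGINDISABLED" not in words,
    }

def decode_failure_challenge(continuation: str) -> dict:
    """Decode the '+ <base64 JSON>' line a server sends for a rejected token.
    The client answers it with an empty line and then receives the tagged NO."""
    return json.loads(base64.b64decode(continuation.split(" ", 1)[1]))

# Constructed sample data, not captured from a real server.
USER, TOKEN = "alice@example.edu", "EXAMPLE-ACCESS-TOKEN"
CAP_MIXED = "* CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=XOAUTH2"
CAP_OAUTH_ONLY = "* CAPABILITY IMAP4rev1 SASL-IR LOGINDISABLED AUTH=XOAUTH2"
FAILURE = "+ " + base64.b64encode(
    json.dumps({"status": "400", "schemes": "Bearer", "scope": "constructed"}).encode()
).decode("ascii")

if __name__ == "__main__":
    print(authenticate_command("A1", USER, TOKEN))
    for line in (CAP_MIXED, CAP_OAUTH_ONLY):
        print(line, "->", auth_mechanisms(line))
    print(decode_failure_challenge(FAILURE))
```

The base64 wrapping is encoding, not encryption, so the AUTHENTICATE line carries a bearer credential and should be kept out of debug logs.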

I can confirm this. Both K-9 and Thunderbird support OAUTH2 on IMAP but which applications are allowed to connect is determined by the provider. I had to apply and explain why I use applications other than Outlook before they authorised access. I am not sure if authorisation applies to applications (ie if I and others can now install and reinstall K-9 on any number of systems) or setups (ie if I need re-authorisation every time I reinstall K-9 even on the same phone). I know that K-9 and Thunderbird had to be authorised separately, so authorisation does not seem to apply to user IDs.

All this is true for the specific provider. Microsoft may have options for any combination of the above scenarios.

Interestingly, out of 1000s of university students and staff, apparently I was the first one to request this, which is why it took IT a while to figure out what I was asking them to do. That was several weeks after the change to enforcing OAUTH2 happened. That probably says something about how many users use applications other than Outlook.